National retailer Marks & Spencer (M&S) has shared a further update on a cyber attack which has resulted in customer data being taken.

Following the attack, which took place on 22 April 2025, M&S suspended online orders as it continued to battle against the cyber incident.

The status of the suspension is unchanged and M&S has taken further steps by engaging with “leading cyber security experts”.

An updated statement said: “As part of our proactive management of the incident, we have taken steps to protect our systems and engaged leading cyber security experts. We have also reported the incident to relevant government authorities and law enforcement, who we continue to work closely with.

“We are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken. Importantly, the data does not include useable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared.

“We have said to customers that there is no need to take any action. For extra peace of mind, they will be prompted to reset their password the next time they visit or log onto their M&S account and we have shared information on how to stay safe online.

“We remain grateful for the support that our customers, colleagues, partners and suppliers have shown us during this time.”

Have you read: How good is your backup solution?